Limit stack depth when missing tags hit resetInsertionMode()

Fixes #1606

CHANGES

@@ -47,6 +47,10 @@ jsoup changelog
     vs being able to read in one hit.
     <https://github.com/jhy/jsoup/issues/1605>
 
+  * Bugfix [Fuzz]: Speed improvement when closing missing empty tags (in XML comment processed as HTML) when thousands
+    deep in stack.
+    <https://github.com/jhy/jsoup/issues/1606>
+
 *** Release 1.14.1 [2021-Jul-10]
   * Change: updated the minimum supported Java version from Java 7 to Java 8.
 

src/main/java/org/jsoup/parser/HtmlTreeBuilder.java

@@ -443,7 +443,10 @@ private void replaceInQueue(ArrayList<Element> queue, Element out, Element in) {
     void resetInsertionMode() {
         // https://html.spec.whatwg.org/multipage/parsing.html#the-insertion-mode
         boolean last = false;
-        for (int pos = stack.size() -1; pos >= 0; pos--) {
+        final int bottom = stack.size() - 1;
+        final int upper = bottom >= maxQueueDepth ? bottom - maxQueueDepth : 0;
+
+        for (int pos = bottom; pos >= upper; pos--) {
             Element node = stack.get(pos);
             if (pos == 0) {
                 last = true;

src/test/java/org/jsoup/integration/FuzzFixesTest.java

@@ -171,4 +171,14 @@ public void parseTimeout1605() throws IOException {
         Document docXml = Jsoup.parse(new FileInputStream(in), "UTF-8", "https://example.com", Parser.xmlParser());
         assertNotNull(docXml);
     }
+
+    @Test
+    public void parseTimeout1606() throws IOException {
+        // https://github.com/jhy/jsoup/issues/1606
+        // Timesink when closing missing empty tag (in XML comment processed as HTML) when thousands deep
+        File in = ParseTest.getFile("/fuzztests/1606.html.gz");
+
+        Document docXml = Jsoup.parse(new FileInputStream(in), "UTF-8", "https://example.com", Parser.xmlParser());
+        assertNotNull(docXml);
+    }
 }